Twitter afflitter – 330 million passwords exposed


If you are a twit – change your Twitter password NOW. A bug wrote the passwords of its 330 million users in plain text to a log on its internal network.

While Twitter says its investigation found no sign that any employee or contractor accessed or misused the passwords, it is asking all users to change their passwords NOW.

A Twitter spokesman said: “When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it.

“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”

What happened at Twitter

Twitter masks passwords by hashing them with bcrypt, a deliberately slow one-way function that mixes in a random per-user salt. Twitter’s system keeps only the resulting hash, a fixed-length string of letters and numbers from which the original password cannot practically be recovered.

When you log in, the password you type is hashed the same way and the result is compared with the stored hash. That lets Twitter check a password without ever keeping the password itself – a kind of password for your password.

Due to a bug, plain-text passwords were written to an internal log before the hashing step ran, so the protection of the hash never applied to that copy.
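To make the two halves of that story concrete, here is a small added example (not Twitter’s code and not a description of its systems). It hashes a password with a random salt, verifies a login against the stored hash only, and then shows the class of mistake described above: a handler that logs the raw request, password included, before hashing, next to a version that redacts first. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs without extra packages (an assumption; the store-hash-then-compare flow is the same for either), and the work factor is lower than a production setting to keep it quick.

```python
"""Added example, not Twitter's code: salted one-way password hashing,
verification that needs only the stored hash, and the logging mistake
that leaks the plaintext before the hashing step runs.

PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the
example runs anywhere (assumption); the flow is the same for either."""
import hashlib
import hmac
import io
import logging
import os
from typing import Callable, Dict, Optional, Tuple

# Work factor kept lower than a production setting so the demo runs quickly.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means identical passwords produce
    different records, so a leaked table cannot be attacked with one
    precomputed dictionary."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.
    Only the hash is stored; the password itself is never needed again."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


Handler = Callable[[Dict[str, str], str, logging.Logger], bool]


def login_buggy(form: Dict[str, str], stored: str, log: logging.Logger) -> bool:
    """The mistake: the raw request, password included, is logged BEFORE
    the password is hashed. Hashing correctly afterwards does not help."""
    log.info("login attempt: %s", form)
    return verify_password(form["password"], stored)


def login_fixed(form: Dict[str, str], stored: str, log: logging.Logger) -> bool:
    """Secrets are redacted before anything reaches the log."""
    redacted = {k: ("[REDACTED]" if k == "password" else v) for k, v in form.items()}
    log.info("login attempt: %s", redacted)
    return verify_password(form["password"], stored)


def run_login(handler: Handler, form: Dict[str, str], stored: str) -> Tuple[bool, str]:
    """Run a handler with a logger that writes to memory and return
    (login succeeded, everything the handler logged)."""
    buf = io.StringIO()
    log = logging.getLogger(f"login-demo-{id(buf)}")
    log.setLevel(logging.INFO)
    log.propagate = False
    stream = logging.StreamHandler(buf)
    log.addHandler(stream)
    try:
        ok = handler(form, stored, log)
    finally:
        log.removeHandler(stream)
    return ok, buf.getvalue()


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    record = hash_password("correct horse battery")
    form = {"user": "alice", "password": "correct horse battery"}
    for name, handler in (("buggy", login_buggy), ("fixed", login_fixed)):
        ok, logged = run_login(handler, form, record)
        print(f"{name}: login ok={ok}, plaintext in log={'correct horse' in logged}")
```

Both handlers accept the correct password and reject a wrong one, and neither stores the password; the only difference is one log line written a step too early, which is all it takes.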

GadgetGuy’s take – change your password. You would be a twit not to

Ironically, this was revealed on World Password Day, a solemn reminder that a password should be unique to each site, changed as soon as a service reports a problem like this one, and never 12345 or password.

Here are a few guidelines

  • It is tempting to use the same easy-to-remember password for sites where little is at stake: your smart lightbulb, vacuum cleaner, newspaper delivery, gym membership, loyalty cards and so on. Think – would it matter if a cybercriminal hacked my coffee card? Bear in mind, though, that a leak at any one of those sites exposes all of them, which is exactly why Twitter’s advice covers every service where you reused the password.
  • It is NOT OK to use any variant of that password for critical or financial sites. Banks, government and medical accounts each need a long password of their own, with uppercase letters, numbers and symbols if the site demands them.
  • Don’t use the name of a pet, brother, sister, mother etc., and don’t use your date of birth, even backwards. Cybercriminals mine social media sites like Facebook to add those names and dates to your profile as likely password roots.
  • If it is easier to remember, use a phrase. Something like MyCurrentHome*2000 or MyNewCar*2016 beats a single word, but password-cracking tools try word-plus-year patterns early, so a longer phrase of several unrelated words is stronger still.
  • If you are forgetful, use a password manager or vault, but do not forget the master password you protect it with. If you choose a free one, check how it is funded; if the ‘product is you’, look elsewhere.
  • Turn on multi-factor authentication wherever it is offered. The familiar example is an SMS code sent to your smartphone when you log in to your bank; an authenticator app or a hardware security key is stronger, because SMS codes can be intercepted or redirected by a SIM swap.
  • Don’t write passwords on sticky notes or store them in your contacts. If you must store them electronically, make sure the device is protected by a strong password too.
  • If your smartphone offers biometric identification (facial recognition, fingerprint), use it!